It was actually a rebranding of an existing framework, but yep; separate codebase.

On Fri, Sep 4, 2015 at 12:51 PM, David Gawron <dgaw...@us.ibm.com> wrote:

> Dave,
>
> Thanks for the quick reply. It looked like Struts 2 was a rewrite so I assumed it was very unlikely that the same vulnerability existed in Struts 1, but I needed to ask.
>
> -Dave-
>
> From: Dave Newton <davelnew...@gmail.com>
> To: Struts Users Mailing List <user@struts.apache.org>
> Date: 09/03/2015 05:01 PM
> Subject: Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?
>
> There's no such thing as `devMode` in Struts 1.
>
> Struts 1 vulnerabilities would be in Struts 1 announcements, although with the EOL, announcements and fixes may never happen.
>
> Struts 1 and Struts 2 have essentially zero in common.
>
> Dave
>
> On Thu, Sep 3, 2015 at 4:41 PM, David Gawron <dgaw...@us.ibm.com> wrote:
>
> > The security bulletin for CVE-2015-5169 (https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone know if the vulnerability also exists in Struts 1 in some form? I realize Struts 1.x are no longer supported and that is why the bulletin doesn't cover those releases. I grabbed the 1.3.10 code and searched for the devMode property (that property appears to be involved in the vulnerability) and did not find any refs. Searching for that property in 2.x yields lots of references and leads me to believe the devMode functionality was added in Struts 2. If so, then that is good but not conclusive evidence the vulnerability is not in Struts 1. I'd appreciate hearing any info others have on CVE-2015-5169 and Struts 1.
> >
> > -Dave-

--
e: davelnew...@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>